Organizations in dark as employees party on with BYOD

Organizations know that employees’ personal mobile devices are sometimes getting onto their networks, but the extent of the problem could be worse than they thought.

A new study by the SANS Institute found that only 9 percent of organizations surveyed were “fully aware” of the devices accessing their networks, and only 50 percent were “vaguely or fairly” aware.

Meanwhile, organizations are scrambling to manage the risk, pursuing everything from user education and mobile device management to Network Access Control and monitoring, SANS said in announcing the study.

The full report, SANS’ First Annual Survey on Mobility Security, produced with Bradford Networks, Hewlett-Packard and MobileIron, will be released April 12 during a webcast.

Among other results, the survey of 500 IT professionals found that fewer than 20 percent of organizations are using endpoint security tools, although the organizations using them are using agent-based, rather than agentless, tools.

"More than 60 percent of organizations today allow staff to bring their own devices," SANS Senior Instructor and survey author Kevin Johnson, said in the announcement. "With this type of permissiveness, policies and controls are even more important to help secure our environments."

The challenge of managing and securing personal devices has been building for some time. A SANS report released in November 2011, “Your Pad or Mine? Enabling Secure Personal and Mobile Device Use On Your Network,” cited Gartner statistics showing that enterprises are aware of only 80 percent of all the devices on their networks.

The unknown 20 percent, often mobile devices including smart phones, tablets, notebooks and even gaming consoles, are unsecured, possibly jailbroken, and are threats to introduce malware to network resources they access, the report said.

Gartner predicted that, as a result of unsecured mobile devices, 80 percent of organizations that have "bring your own device" policies would see a 100 percent increase in botnet infections by 2013.

The report said standardizing or controlling mobile platforms, and using security measures such as Network Access Control, would be critical to preventing compromises.

Government agencies have been developing BYOD policies, in part out of recognition that many people are tied to their smart phones and tablets and are inevitably going to use them in their work. The White House is developing a federal BYOD policy.

But panel members in a session at this week’s FOSE conference warned that the practice could be outstripping policy efforts, Federal Computer Week reported.

The federal government, like other organizations, is adopting BYOD practices out of necessity, said Rob Burton, partner at the Venable LLP law firm. “But this train may be moving too fast,” he said.

Personal devices present a risk to internal networks for a variety of reasons, including the possibility that they could inadvertently introduce malware into systems, create nodes on networks that administrators are unaware of, and expose internal information if the devices are lost or stolen.

Another element of uncertainty is whether agencies have a right to the information on an employee’s phone or other mobile device if it is personally owned.

At FOSE, Burton discussed a recent Supreme Court decision holding that a municipality could download personal information from a city-owned phone issued to a police officer under investigation, FCW reported. Had that phone been personal property, the right to privacy might have changed the ruling, Burton said.

He also noted the potential threat of foreign agents capitalizing on BYOD policies to infiltrate networks.

“We think the cyber issues for BYOD are a huge legal area and will be very tough and challenging for corporations and government agencies,” Burton said.

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

inside gcn

Reader Comments

Tue, Apr 10, 2012

I agree that such devices pose a threat and agnecies/employers should address them. My issue was with how the article was written. It focuses on the employee in what I consider a negative and flippant way.

Mon, Apr 9, 2012
steve

Even with employees acting responsibly, it introduces an element out of IT's control, and all it takes is one person to compromise the network. The weakest link is almost always the user.

Fri, Apr 6, 2012

Party on? The whole tone is that employees are acting in some kind of cavalier irresponsible way. I'm sure some are, but probably more often these devices are being used for work, becasue the employer is too cheap or short sighted to provide them. It also took me half the article to figure out what BYOD was. Not everyone uses the tech slang of the day.

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.